In the summer of 2014, executives at a leading national insurance firm worked with FTI Consulting to create an action and response plan in the event of a major data breach. The plan’s guiding principles were clear:
Evaluate the impact of the incident.
Engage corporate leadership according to the risk level involved.
Reassure customers and resolve any impacts without regard to short-term costs.
Prepare communications that would enable the company to convey key messages through every available channel, from call center teams to third-party partners to the public.
The plan also developed categories for the severity of any data breach and standardized ways to report incidents and document the company’s subsequent actions.
In other words, the plan laid out what to do when and who decides what for a range of events and actions, including informing the board and government agencies, as well as engaging third-party investigators and credit monitoring services.
And the action and response plan put in place simulation exercises to prepare for a potential crisis.’
Notably, this company, which has a significant footprint in the healthcare market, has not yet suffered a data breach. But given today’s environment, it is not unreasonable to plan for one. In fact, it would be unreasonable not to do so.
In early February 2015, Anthem, one of America’s largest health insurers, revealed that it had been attacked, with the personal information of some 80 million people exposed. This made it the biggest healthcare data breach in history. At the time of this writing, the hackers had yet to be identified definitively, but individuals somewhere had gained access to Anthem policyholders’ medical identification and Social Security numbers, mailing addresses and email addresses. One danger (among others) is that this information could be used by hackers to perpetrate a variety of frauds. Reportedly, phishing attacks were launched immediately by the hackers, trying to get policyholders to sign up for fake data protection services and provide even more personal information.
The information that hackers and criminals can retrieve by breaching healthcare organizations is considered more valuable than the mere credit card numbers collected in breaches of retail operations. Medical records command much higher prices on the black market than do credit card numbers. It’s easy to cancel a credit card number, and the market is glutted thanks to incidents such as the December 2013 Target breach that compromised more than 40 million customers or the later Home Depot hack that exposed customer emails and over 56 million credit card accounts. Medical records, however, contain Social Security numbers and even physical descriptions that criminals can use to hijack identities, file fraudulent insurance claims, and create all sorts of profitable havoc for themselves while causing great financial damage to individuals and institutions.
All this should be viewed as a flashing red warning light to healthcare organizations. According to a Ponemon Institute study, the cost of a data breach to healthcare organizations in 2014 was far higher than in any other sector of the economy ($359 per capita in the healthcare sector compared with $206 in financial services companies and $155 in consumer products organizations). In addition, more than ever before, the federal government is casting a sharp eye on the data privacy practices of healthcare organizations. The Office for Civil Rights sent a strong message last year to healthcare organizations by increasing its enforcement efforts and identifying 1,200 potential candidates for audits. This includes 800 entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health ("HITECH") Act, as well as 400 business associates. Since September 2009, there have been in excess of 1,000 breaches involving 500 or more entities in healthcare in the United States, with 34 breaches identified in June 2014 alone. Some recent post-breach settlements with the federal government involved NewYork-Presbyterian Hospital/Columbia University Medical Center, which paid $3.3 million in fines, and Columbia University, which settled its case for $1.5 million.
In this environment, it makes sense to have an incident response and crisis management plan in place, both as a way to prevent breaches and to mitigate their cost. Of course, not all breach prevention measures are created equal. Target’s and Home Depot’s defenses turned out to be inadequate, which subjected those companies to severe public criticism. So how should compliance officers, information technology executives, Legal Departments and others charged with overseeing a healthcare organization’s data security begin to assess how vulnerable an organization is, how it can maximize data protection and how it can reduce the cost of a breach when one occurs? What follows are five overarching questions that an officer in an organization should be asking in this age of data breaches.
Do you know where your data are?
A critical component of data and information governance is enterprise data awareness; that is, knowing what data are where and if the most important data are in a secure place. Possessing data awareness means having a complete view of enterprise data sources. The sites most likely to be affected by a breach include unstructured areas such as email, loose files on local drives or networks and files undergoing transfer. Venues also can include structured areas such as enterprise-wide systems. Data often exist simultaneously in multiple locations and in duplicate formats, some more secure than others.
A crucial step in breach prevention is the creation of an enterprise data map. This particularly is important since identifying target information after a breach often isn’t feasible. One effective initial step is to leverage current projects such as post-system migration or other data footprint-related programs to identify data repositories and understand their nature. Keep in mind that a significant number of key data sources can be found offline or outside the native source system. And remember: Just because key systems are protected does not mean the same information cannot exist elsewhere in the enterprise.
Another part of data awareness is monitoring the data entering and leaving an organization. A vital component to the security of data in healthcare systems is encryption protocols for the transmission of protected health information (“PHI”) to and from external vendors. The administration of business associate agreements and the oversight of the data security protocols of vendors and other external parties should be aggressive and continuous. For example, a major HIPAA-related crisis can be precipitated if a 1099 medical coder working for a subcontractor has his car broken into when medical records are laying on the front seat. In fact, monitoring the movement of sensitive data outside an organization is one of the most important elements of an effective data protection program.
Are your cyberdefenses adequate?
In light of the ever-evolving cyber threat environment — and the consequences of a data breach — companies need to take a comprehensive approach to protecting the information they hold. The cyber threat is multi-varied: Not only must businesses defend against external, technical threats such as hackers who seek to penetrate computer networks and steal or corrupt data through sophisticated cyberattacks, but organizations must pay equal attention to insider, non-technical threats as well. These latter categories can range from disgruntled employees who abuse their access to data to company personnel who innocently introduce malicious code into an enterprise’s network through handling low-tech vectors such as infected thumb drives or by clicking links in spam or phishing emails.
There are a number of questions and factors companies should consider in developing a comprehensive information security plan. First, has a cyber risk assessment been conducted? In this respect, businesses not only should identify and assess risks to their own network but also risks associated with any third-party vendors with whom data are stored or shared — an important consideration given that many companies outsource large data storage and backup tasks to outside contractors or share information with joint venture partners.
Second, has a cyber incident plan been developed? Rather than respond in an ad hoc fashion under pressure during a crisis, businesses will be better off if they take the time now to plan a coordinated response to a data breach. This includes deciding how evidence will be collected in a forensically sound manner, how information will be shared internally and externally with law enforcement and regulators, and how the computer network’s integrity will be restored. Pre-planning cuts down on confusion and loss of critical information and puts leadership in the best position to respond efficiently.
Finally, companies should commit to reviewing and updating their information security plan regularly. Periodic reviews are necessary to account for changes in a company’s network as a result of normal operations — including the acquisition of new businesses and their computer networks — and to keep up with the evolving threat landscape.
Are you compliant with HIPAA and HITECH?
HIPAA and HITECH set the standards for the security of electronic PHI and promote the adoption and meaningful use of health information technology. HIPAA and HITECH were designed to protect the confidentiality and security of individual PHI possessed by those entities covered by the laws. This includes health plans, hospital systems and various business associates. To stay compliant, healthcare organizations must continually monitor and adapt their policies and procedures, as well as provide training and education.
Too often, an organization learns how compliant it is only after a breach takes place. This is because answering the question before a breach occurs requires meticulous and time-consuming work. For example, organizations should be evaluating their current structure and policies continuously to ensure compliance with the latest privacy and security standards. This includes a review of all policies and procedures, auditing and monitoring reports, training materials and relevant business associate agreements. The organization or an outside vendor should regularly conduct onsite interviews and security walkthroughs to assess the existing processes and controls in order to determine the company’s operational compliance with HIPAA and HITECH.
Do you have a crisis communications plan?
The 2014 Ponemon Institute study found that what hits an enterprise’s bottom line hardest after a data breach is the loss of customer loyalty. After a breach, companies find they must spend heavily to restore their brand’s image, retain old customers and acquire new ones.
In most cases, HIPAA requires public notification of data breaches within 60 days of the incident, including publishing a notification in the media. Plus states have their own deadlines. But, sometimes, a healthcare organization may want to notify patients, customers or members sooner than the law requires. Or, in the case of some smaller breaches, an organization may decide to pursue a low-profile strategy of minimal notification and publicity. The course taken depends on the scope of the breach, as well as myriad other factors. But one thing experts agree upon is that an organization should have a plan in place for notifying select leaders in the company immediately and for communicating the breach to the outside world. As some organizations have learned, failure to notify and deal with publicity around a breach can result in a significant loss of public trust and consequent damage to an enterprise’s reputation and brand.
Here are some best practices that can help ensure that a company is fully prepared to effectively manage a data breach incident:
Establish and maintain a communications infrastructure: It is essential that a company build a response team that can mobilize swiftly in the event of a breach to manage and coordinate the organization’s overall response efforts. This team should consist of key decision makers, including executive leaders, as well as representatives from information technology and security, public relations, customer service, human resources and the Legal Department. Every member of the data breach response team should understand one’s specific role and duties. Employees should be provided with the necessary resources and training to ensure that they are prepared to successfully discharge their responsibilities.
Establish a structure of internal reporting: A streamlined cybersecurity reporting regimen is necessary to expedite engagement with the data breach response team and prompt key business, operational and communications decisions. A company should have a defined process for reporting a breach once one has been detected, ensuring that all pertinent parties are notified of the situation quickly, as appropriate.
Understand how to properly evaluate the breach: A company’s ability to accurately identify the level of threat it faces enhances its ability to implement the required level of response. If the assessment is conducted properly, the likelihood increases that the company will get its response right. For example, not all breaches require notification according to HIPAA; therefore, it is essential that a healthcare company recognize what constitutes a serious breach, as well as situations that require notification to affected individuals, the media, and the Secretary of Health and Human Services.
Prepare draft communications: Responding speedily and transparently to a data breach demonstrates that a company acknowledges the circumstances and is working to rectify the problem, as well as helping to mitigate the damage of rumors. To ensure a quick response, a company should have on hand communications materials that have been reviewed and approved by executive leaders and the Legal Department (or outside counsel). When a breach occurs, the company easily can adjust the language to the event. Minimum communications include a standby statement, a news release and a notification letter.
Determine a system for handling a notification: Mishandling a notification can lead to fines and other unbudgeted expenses, as well as negatively affect brand reputation and customer loyalty. There generally is little time to verify addresses and to print and mail a notification letter after a breach or to set up a call center and other services for affected stakeholders. Therefore, in most cases, a company should identify and select a vendor in advance that has the resources and capabilities to establish a call center and notify thousands, or even millions, of individuals by mail or email. Also, the company should consider creating a dark website around a breach, which would go live if the real thing happens.
Do you have a culture of compliance?
Beyond establishing policies, procedures and a Code of Conduct, management should make sure that its workforce and business associates clearly understand what the relevant laws, regulations and rules mean on a daily basis. In essence, an organization must develop a culture of compliance to protect patients, customers and members. The once-a- year online tutorials and quizzes that many companies have put in place — as good as these tools may be — do not, by themselves, create a culture of compliance. In the best cases, this type of culture grows out of the commitment of top leadership and an extensive compliance communications program.
Such a program should include several distinct steps:
Translate compliance language into conversational language: Convert the dry material of compliance into a memorable, or even enjoyable, narrative while making it crystal clear why this is critical to the enterprise and to its employees and business associates.
Determine the current state of compliance culture: Use surveys, focus groups, interviews with executives, and reviews of data and materials to establish a benchmark of employee knowledge, attitudes and values. Findings should be compared with best practices inside one’s industry and in other industries.
Program development: Identify channels that are available for communicating with the organization’s workforce and business associates, refreshing those vehicles that have not been used in the recent past and devising new ones. At this point, it is important to develop a communications strategy and engage the company’s top leadership in the program.
Execute a 360-degree compliance communications program: Start by establishing roles for top management so it can publicly demonstrate its commitment to compliance. Follow this by the training of supervisors so that the information cascades throughout the organization through face-to-face meetings, town halls, emails, websites, apps, posters, contests, awards and other channels.
Measure and repeat: Measure and re-measure knowledge, attitudes and beliefs; publicize progress and gaps that must be addressed; readjust and realign the program to make it more effective.
Being compliant with HIPAA, HITECH and other laws and regulations is necessary but not, in itself, sufficient to address all the issues that grow out of a data breach. As Anjanettte H. Raymond, professor at Indiana University, has written that, in most instances, existing laws did not foresee the massive amounts of data that would be collected across environments, and few laws envisioned data collection from a global perspective.
In addition, even if businesses collect information in a legally compliant manner, consumers, including healthcare patients, are growing uneasy about the use and widespread distribution of their personal information. As Raymond says, "While it may seem easier and less costly to sit back and wait for trends to become full-fledged law, customers no longer will wait for these protections and will find it increasingly difficult to understand the apathy of business toward data protection."